3. Introduction

NTS is a method for using TLS/SSL to authenticate NTP traffic on the network.
That means that bad guys can’t forge packets that would feed your
system bogus time.

The RFC hasn’t been published yet (December 2019). Nothing has changed
recently, but there may be minor adjustments when it is finalized.

Note: The NTP Pool does not currently support NTS.

It is strongly suggested that you get a "normal", unauthenticated,
NTP server working before enabling NTS. This may reduce the time
spent debugging. See the Client Quick Start Guide.

4. NTS Client Configuration

Append the keyword nts to the end of your server lines. Do this only for
servers that speak NTS. If the server uses a port other than 123 for NTS key
exchange, you also need to specify the port number. As of December 2019, the
following should work:

Note that ntpd must be able to read both files and you want to
make sure that the bad guys can’t read your private key. It may
be simpler to copy those files over to /etc/ntp/ and adjust
their owner and mode so ntpd running as user ntp can read them.

You may need to tell your system where to store the keys used
to encrypt cookies. The default is /var/lib/ntp/nts-keys.
Some distros use /var/db/ rather than /var/lib/.

The t column shows how many cookies your NTS client is holding for each
server. The number should be 8. Lower numbers indicate dropped
packets. (7 could simply be a packet in flight.)

The RFC calls for the server to rotate the private key used to
encrypt cookies every 24 hours. The server also keeps the previous
key, so old cookies keep working for at least 24 hours. A 24-hour key
lifetime and 8 cookies cover a polling interval of up to 3 hours, which is
much longer than the default maxpoll of 10 (1024 seconds).
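As an added example (not part of the NTPsec guide), here is a small POSIX shell check that reads ntpq -p output and lists the NTS peers holding fewer than 8 cookies, the dropped-packet symptom described above, so it can be run from a monitoring job. It assumes the whitespace-separated column order remote, refid, st, t, when, poll, reach, delay, offset, jitter (verify this against your ntpq version); the sample output is constructed.

```shell
#!/bin/sh
# Added example, not from the NTPsec documentation: flag NTS peers whose
# cookie count (the ntpq -p "t" column) has dropped below the expected 8.
# Assumed column order: remote refid st t when poll reach delay offset jitter

# Constructed sample ntpq -p output for testing; not real server data.
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*nts1.example.net .GPS.            1  8  123 1024  377   12.345   -0.123   0.456
+nts2.example.net 192.0.2.10       2  5   45  512  357   23.456    0.789   1.234
-nts3.example.net 198.51.100.7     2  0  900 1024    0    0.000    0.000   0.000
 plain.example.net 203.0.113.5     2  u   17   64  377    5.678    0.012   0.345'

# Read ntpq -p style text on stdin and print "<server> <cookies>" for every
# NTS peer holding fewer than $1 cookies (default 8). Peers without NTS show
# a letter (u, b, ...) in the t column and are skipped. The tally-code
# prefix (*, +, -, #, o, x, .) is stripped from the server name.
low_cookie_peers() {
    min=${1:-8}
    awk -v min="$min" '
        NR <= 2 { next }                       # skip header and ===== line
        $4 !~ /^[0-9]+$/ { next }              # letter in t column: not NTS
        $4 + 0 < min + 0 {
            sub(/^[*+#ox.-]/, "", $1)
            print $1, $4
        }
    '
}

# Number of peers flagged in the sample; a non-zero value is alert-worthy.
sample_low_count() {
    printf '%s\n' "$SAMPLE_NTPQ" | low_cookie_peers 8 | wc -l | tr -d ' '
}

# Against a live system, replace the sample with:  ntpq -p | low_cookie_peers 8
printf '%s\n' "$SAMPLE_NTPQ" | low_cookie_peers 8
```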

6.2. Check ntp variables

Try ntpq -c nts. This will show various counters related
to NTS. This feature is under active development, so the
format might change. An example: